Support » Plugin: Contact Form 7 » Recaptcha v3 token expiration issue (CF7 5.1.1)

  • There is a problem with the current implementation of reCaptchav3 in CF7 5.1.1.

    reCaptchav3 tokens expire. That means that if you stay for a long time on a web page that has a form, the token expires, and when the form is sent the captcha validation fails.

    So this code:

    * File: wp-content/plugins/contact-form-7/modules/recaptcha.php
    * Function: wpcf7_recaptcha_verify_response

    return ! $service->verify( $token );

    is going to fail.
    
    While trying to fix this issue on my own I found these two pages which had the same token expiration problem on their frontends.
    
    * reCAPTCHA V3: how to deal with expired token after idle? https://stackoverflow.com/questions/54437745/recaptcha-v3-how-to-deal-with-expired-token-after-idle
    * Using reCAPTCHA v3 in the frontend: https://github.com/google/recaptcha/issues/281
    
    Not sure if the current code:

    <script type="text/javascript">
    ( function( grecaptcha, sitekey ) {

        var wpcf7recaptcha = {
            execute: function() {
                grecaptcha.execute(
                    sitekey,
                    { action: 'homepage' }
                ).then( function( token ) {

    is equivalent to what is suggested in https://github.com/google/recaptcha/issues/281#issuecomment-435332795.

    Hopefully Neil Murray sees an obvious problem here and might fix it.

    I’m happy to review proposed code or beta plugins.

    Thank you very much!

    Note: As a workaround for this issue, as many other people in the forum have suggested, I’m going to turn off integration with reCaptchav3 and install this third-party plugin: wpcf7-recaptcha (Contact Form 7 – reCaptcha v2). One of the reasons is Google saying v2 is not going away in the short term on its FAQ page: https://developers.google.com/recaptcha/docs/faq .

Viewing 2 replies - 1 through 2 (of 2 total)
  • Just in case any of you want to verify my own findings in CF7 5.1.1:
    You can modify (after making a proper backup): wp-content/plugins/contact-form-7/modules/recaptcha.php .

    Before:

    function wpcf7_recaptcha_verify_response( $spam ) {
            if ( $spam ) {
                    return $spam;
            }
    
            $service = WPCF7_RECAPTCHA::get_instance();
    
            if ( ! $service->is_active() ) {
                    return $spam;
            }
    
            $token = isset( $_POST['g-recaptcha-response'] )
                    ? trim( $_POST['g-recaptcha-response'] ) : '';
    
            return ! $service->verify( $token );
    }

    After:

    function wpcf7_recaptcha_verify_response( $spam ) {
            if ( $spam ) {
                    error_log( "MYDEBUG: Received spam is true" );
                    return $spam;
            }

            $service = WPCF7_RECAPTCHA::get_instance();

            if ( ! $service->is_active() ) {
                    error_log( "MYDEBUG: Service is not active." );
                    return $spam;
            }

            $token = isset( $_POST['g-recaptcha-response'] )
                    ? trim( $_POST['g-recaptcha-response'] ) : '';

            // Keep the result so it can be logged before it is negated.
            $tmpverified = $service->verify( $token );
            // Temporary debugging only: this writes the raw token to the error log.
            error_log( "MYDEBUG: Token: (" . $token . ")" );
            // A boolean false concatenates as an empty string, true as "1".
            error_log( "MYDEBUG: Verified: (" . $tmpverified . ")" );
            return ! $tmpverified;
            #return ! $service->verify( $token );
    }

    Then you can get your error_log files from Apache (or equivalent).

    If you get: MYDEBUG: Verified: () it means it was not a proper verified token.
    If you get: MYDEBUG: Verified: (1) then the form probably gets submitted ok.

    Sometimes I get an empty token too which might be another bug (different than the expired token one).

    Thank you again.

    @takayukister any thoughts on this? Seems like this could be a problem for a lot of people.
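
Added example, not part of the thread and not Contact Form 7 code: the debug output above only shows whether verification passed, so this JavaScript function classifies a decoded siteverify response to tell an expired or reused token from an empty one or a low score. The function name, reason labels, 0.5 threshold and sample responses are assumptions; the field names and error codes are those of Google's siteverify API.

```javascript
// Added example, not Contact Form 7 code. Field names and error codes follow
// Google's siteverify JSON; the function name, reason labels and the 0.5
// score threshold are assumptions made for this illustration.
function classifyVerification(token, response, opts = {}) {
  const { expectedAction = null, minScore = 0.5, now = Date.now() } = opts;
  const fail = (reason) => ({ ok: false, reason });

  // The "empty token" case: nothing was posted, so there is nothing to verify.
  if (typeof token !== 'string' || token.trim() === '') return fail('empty-token');
  if (!response || typeof response !== 'object') return fail('no-response');

  const codes = Array.isArray(response['error-codes']) ? response['error-codes'] : [];
  if (response.success !== true) {
    // Tokens are valid for two minutes and can be verified once; Google
    // reports both an expired and a replayed token with this one code.
    if (codes.includes('timeout-or-duplicate')) return fail('expired-or-reused');
    if (codes.includes('missing-input-response')) return fail('empty-token');
    if (codes.includes('invalid-input-response')) return fail('malformed-token');
    if (codes.some((c) => typeof c === 'string' && c.endsWith('-input-secret'))) {
      return fail('secret-misconfigured');
    }
    return fail('rejected');
  }

  // success only means the token was valid; v3 still needs action and score checks.
  if (expectedAction !== null && response.action !== expectedAction) return fail('action-mismatch');
  if (typeof response.score !== 'number' || response.score < minScore) return fail('low-score');

  // Token age at verification time, useful for spotting submissions close to expiry.
  const issued = Date.parse(response.challenge_ts);
  const ageSeconds = Number.isNaN(issued) ? null : Math.round((now - issued) / 1000);
  return { ok: true, reason: 'verified', ageSeconds };
}

// Constructed sample inputs (not captured from a real site).
const NOW = Date.parse('2019-03-01T12:01:30Z');
const SAMPLES = [
  ['', null],
  ['tok-A', { success: false, 'error-codes': ['timeout-or-duplicate'] }],
  ['tok-B', { success: true, score: 0.1, action: 'homepage', challenge_ts: '2019-03-01T12:00:00Z' }],
  ['tok-C', { success: true, score: 0.9, action: 'homepage', challenge_ts: '2019-03-01T12:00:00Z' }],
];

function classifySamples() {
  return SAMPLES.map(([token, response]) =>
    classifyVerification(token, response, { expectedAction: 'homepage', now: NOW }));
}

console.log(classifySamples().map((r) => r.reason).join(', '));
```

Logging the returned reason instead of the raw token gives the same diagnosis without writing tokens to the error log.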

  • The topic ‘Recaptcha v3 token expiration issue (CF7 5.1.1)’ is closed to new replies.